Description
Principles of Incident Response And Disaster Recovery 2nd Edition By Michael – Test Bank
Chapter 5: Incidence Response: Detection and Decision Making
TRUE/FALSE
1.According the to NIST definition of an event as “any observable occurrence in a system or network,” all events are computer or network oriented.
ANS: F PTS: 1 REF: 167
2.To help make the detection of actual incidents more reliable, there are three broad categories of incident indicators that have been identified: possible, probable, and definite.
ANS: T PTS: 1 REF: 168
3.Most modern antivirus/anti-malware utilities cannot detect rootkits.
ANS: F PTS: 1 REF: 171
4.The Windows Task Manager can be used to seek out Trojan programs on Microsoft Windows computers.
ANS: F PTS: 1 REF: 176
5.Many attacks come through ports and then attack legitimate processes to allow themselves access or to conduct subsequent attacks.
ANS: T PTS: 1 REF: 197
MULTIPLE CHOICE
1.The process of evaluating the circumstances around organizational events includes determining which adverse events are possible incidents, or ____.
|
a. |
critical violations |
c. |
hacker intrusions |
|
b. |
incident candidates |
d. |
service alarms |
ANS: B PTS: 1 REF: 167
2.A(n) ____ is a sign that an adverse event is underway and has a probability of becoming an incident.
|
a. |
precursor |
c. |
indication |
|
b. |
inactive system |
d. |
signal |
ANS: C PTS: 1 REF: 168
3.A(n) ____ is a sign that an activity now occurring may signal an incident that could occur in the future.
|
a. |
precursor |
c. |
indication |
|
b. |
inactive system |
d. |
signal |
ANS: A PTS: 1 REF: 168
4.A ____ rootkit is one that becomes a part of the system bootstrap process and is loaded every time the system boots.
|
a. |
user-mode |
c. |
kernel-mode |
|
b. |
memory-based |
d. |
persistent |
ANS: D PTS: 1 REF: 170
5.In the event that a definite indicator is recognized, the corresponding ____ must be activated immediately.
|
a. |
alarm |
c. |
rootkit |
|
b. |
IR plan |
d. |
IDPS |
ANS: B PTS: 1 REF: 172
6.Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.
|
a. |
definite indicators |
c. |
unusual system crashes |
|
b. |
reported attacks |
d. |
false positives |
ANS: D PTS: 1 REF: 173
7.The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called ____.
|
a. |
confidence |
c. |
tuning |
|
b. |
false positive |
d. |
noise |
ANS: D PTS: 1 REF: 184
8.A(n) ____ is the set of rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
|
a. |
attack stimulus |
c. |
site policy |
|
b. |
confidence |
d. |
IR policy |
ANS: C PTS: 1 REF: 185
9.The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device.
|
a. |
monitoring port |
c. |
TCP/IP sensor |
|
b. |
external router |
d. |
IDPS console |
ANS: A PTS: 1 REF: 189
10.The use of IDPS sensors and analysis systems can be quite complex. One very common approach is to use an open source software program called ____ running on an open source UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.
|
a. |
Sniff |
c. |
Match |
|
b. |
Snort |
d. |
Detector |
ANS: B PTS: 1 REF: 190
11.Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way.
|
a. |
packet sniffing |
c. |
traffic measurement |
|
b. |
port monitoring |
d. |
signature matching |
ANS: D PTS: 1 REF: 191
12.In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers’ answers to routine DNS queries from other systems on that network.
|
a. |
denial-of-service (DoS) |
c. |
port mirroring |
|
b. |
DNS cache poisoning |
d. |
evasion |
ANS: B PTS: 1 REF: 192
13.The ____ approach for detecting intrusions is based on the frequency with which certain network activities take place.
|
a. |
signature-based IDPS |
c. |
anomaly-based IDPS |
|
b. |
knowledge-based IDPS |
d. |
host-based IDPS |
ANS: C PTS: 1 REF: 205
Reviews
There are no reviews yet.